Briefing Report

The SBA’s Loan Management and Accounting System – Incremental Improvement Projects

U.S. Small Business Administration
Office of Inspector General
Washington, D.C. 20416

Report Transmittal
Report No. 13-11

Date: March 12, 2013

To: Paul T. Christy, Chief Operating Officer

Subject: The Small Business Administration’s Loan Management and Accounting System Incremental Improvement Projects

This report presents the results of our review of the Small Business Administration’s effort to modernize its loan management system and migrate off the mainframe environment. Specifically, this report addresses issues identified in the planning, management, and oversight of SBA’s ongoing migration efforts. We have incorporated the formal comments from the Chief Operating Officer and the Executive Steering Council into this report.

Please provide your response to this report for each recommendation on the attached SBA Forms 1824, Recommendation Action Sheet, by April 11, 2013.

Consistent with OMB Circular A-50, your response should include the corrective action(s) taken or planned for each recommendation and the target date(s) for completion. If you disagree with the recommendations, please fully explain the reasons for disagreement. Please include the legal basis for disagreement based on interpretation of law, regulations, or the authority of officials to take or not take action. You may also propose alternative actions to those recommended that you believe would better address the issues presented in this report.

In order to fulfill our responsibility under the Inspector General Act, we are providing copies of our report to the appropriate congressional committees responsible for oversight of the Small Business Administration. We will also post this report on the Office of Inspector General website for public dissemination.

We appreciate the courtesies and cooperation of the Office of Capital Access and the Office of the Chief Information Officer during this review. If you have any questions concerning this report, please call me at (202) 205-7390 or Jeffrey Brindle, Director, Information Technology and Financial Management Group, (202) 205-7490.

***

/s/
John K. Needham
Assistant Inspector General for Auditing

Table of Contents

Highlights
Background
Approach
Overall Results
Finding 1: The SBA Needs an Incremental Improvement Project to Migrate New Software
Finding 2: The Scope of the Root Cause Analysis Project was Changed
Finding 3: The SBA’s Loan Management and Accounting System Incremental Improvement Projects
Finding 4: Quality Assurance Program Did not Exist
Finding 5: Independent Verification and Validation Program Did Not Exist
Agency Comments and Office of Inspector General Response
Appendix I: Agency Comments

Highlights

Why the OIG Performed this Review

Since 2004, a significant management challenge facing the SBA is the modernization of the loan accounting process, where the Loan Accounting System is the central hub. The Loan Accounting System processed and managed a loan portfolio totaling over $99 billion in FY 2011.

What the OIG Reviewed

The OIG reviewed the Loan Management Accounting System – Incremental Improvement Projects (LMAS-IIPs), which included the:

• Systems Development Life Cycle deliverables and documentation for LMAS incremental projects.
• Root Cause Analysis and User Interface Migration.
• Implementation and operation of a Quality Assurance (QA) program and an Independent Verification and Validation (IV&V) program for the LMAS-IIPs.

What the OIG Found

The OIG found that the SBA successfully migrated the data-entry of over 44% of its loan and lending transactions from mainframe data-entry to web-based data entry, the first step in fully migrating off SBA’s legacy mainframe and utilizing updated technology.

[Figure: Reduction of Mainframe Transactions in Millions. 2011: 10.29; 2012: 5.79]

The SBA’s Progress in Reducing Mainframe Transactions

• 10.29 million transactions were processed on SBA’s mainframe during the last six months of FY 2011.
• 5.79 million transactions were processed on SBA’s mainframe during the last six months of FY 2012.
  - This decrease represents a 44% reduction of mainframe utilization from FY 2011 to FY 2012.
• All User Interface transactions are scheduled to be migrated off the mainframe by September 2013.

During our review of the LMAS IIPs, the OIG also found that:

• The SBA did not have an incremental improvement project to migrate its newly created COBOL code into production.
• The Root Cause Analysis Project had been altered from its initially approved project.
• The User Interface Migration Project screens were not security tested and validated.
• The QA and IV&V programs did not exist.

The LMAS-IIP is a Major Management Challenge for the SBA

The LMAS-IIP is addressed in Challenge 8 of the OIG’s annual report The Most Serious Management Challenges Facing the SBA, “The SBA needs to modernize its Loan Accounting System and migrate it off the mainframe.”

Similar issues in this challenge are related to:

• planning the migration off the mainframe, and
• quality assurance and independent verification and validation.

Background

The Loan Management and Accounting System (LMAS)

Since 2004, one of the single greatest management challenges facing the SBA is the modernization of the loan accounting process, where the Loan Accounting System serves as the central hub. The Loan Management Accounting System is:

• A collection of transaction data entry screens for SBA loan and lending transactions that are directly entered into the mainframe for processing.
• A daily cycle of loan and lending transactions, processed nightly, that updates the database and includes information from other SBA systems.

The Loan Management Accounting System processed and managed a loan portfolio that totaled over $99 Billion in FY 2011.

The LMAS Incremental Improvement Projects (IIPs)

The LMAS-IIPs were designed to be a series of focused and cost-effective projects to upgrade existing financial software and application modules in the SBA’s Loan Accounting System that included:

• Migrating these modules off of SBA’s outdated mainframe environment;
• The development and migration of user interface screens from SBA’s mainframe to newer technology (in its most recent iteration), and
• Conforming with OMB’s Memorandum 10-26, Immediate Review of Financial Systems IT Projects, which requires agencies to split large development projects into smaller simpler segments with clear deliverables.

LMAS-IIP | Description | Status
Complete the R12 upgrade | Upgrade SBA’s administrative accounting and management system to Oracle Financials. | Completed
Migrate Denver Finance from Sybase to Oracle | Migrate SBA’s legacy databases at its Denver office to its current database infrastructure. | In process
Migration of user interfaces | To migrate all user interface components from the legacy mainframe platform to SBA’s current web-based infrastructure. | Nearing Completion
COBOL Port | Convert the Unisys proprietary COBOL code to a version of COBOL compatible with UNIX. | In process
Document Loan Accounting | Document the new processes in order to capture and transfer knowledge about the new LMAS environment. | In process
Root Cause Analysis | Analyze remaining issues and develop plans to prioritize additional projects to address SBA’s most important business needs. | Scope changed
Implement Improvements | Implement the improvements identified by the root cause analysis and the analysis of new processes. | Not started

Approach

Objective

The objective of the OIG Review was to determine the progress of the Loan Management Accounting System Program (LMAS) – Incremental Improvement Projects (IIP) since the issuance of Audit Report 10-14, Adequacy of Quality Assurance Oversight of the Loan Management Accounting System Project on September 13, 2010.

Scope and Methodology

We performed our review in accordance with Quality Standards for Inspections and Evaluations issued by the Council of Inspectors General on Integrity and Efficiency.

To conduct our evaluation, we examined:

• The SBA’s progress against open audit recommendations and challenge #8 of the FY 2012 Report on the Most Serious Management and Performance Challenges Facing the Small Business Administration, “The SBA needs to modernize its Loan Accounting System and migrate off the mainframe.”
• The interim progress of the ongoing LMAS-IIPs.

To determine progress we compared agency actions against criteria set by OMB Memoranda, NIST Special Publications, and SBA Standard Operating Procedures.

Overall Results

This evaluation covered the period from January 2011, when OMB granted approval of the LMAS-IIP, to November 2012, when we completed fieldwork.

In Fiscal Year 2012, the SBA successfully migrated the data-entry of 44% of its loan and lending transactions from its mainframe data-entry to web-based data-entry.

This migration was a successful first step in fully migrating off SBA’s legacy mainframe and utilizing updated technology.

The OIG identified five findings that put the development of this project at risk for not meeting the needs and expectations of the SBA, the Office of Management and Budget (OMB), and Congress. These findings, discussed further below, are as follows:

• The first issue was that the SBA does not have an incremental improvement project to migrate its newly created COBOL code into production.
• The second issue concerned the Gap Analysis and Strategic Planning Project for the LMAS-IIP, which included a Root Cause Analysis, as approved by the SBA’s Business Technology Investment Council (BTIC) and OMB.
• The third issue related to the LMAS-IIP User Interface Migration project screens, which were not tested and validated by the SBA’s Office of Chief Information Officer, Information Security.
• The fourth and fifth issues related to the LMAS-IIP Quality Assurance (QA) and Independent Verification and Validation (IV&V) programs, which did not exist during the LMAS-IIP.

Finding 1: The SBA Needs to Create an additional Incremental Improvement Project to Migrate its new COBOL Code into Production

The SBA does not have an IIP, as recommended by OMB, to migrate its newly created COBOL code into production.

• Currently, the SBA has an IIP (the COBOL Port) to convert its Loan Accounting System with proprietary COBOL code to a version of COBOL that is compatible with UNIX. This conversion of COBOL code, if implemented on a new processing platform, would allow the SBA to fully migrate off its legacy mainframe environment to a more up-to-date and non-proprietary COBOL environment.
• The absence of an improvement project occurred because existing project plans did not include production use of the newly ported COBOL code.

According to OMB Memorandum 10-26, Immediate Review of Financial Systems IT Projects:

• Agencies should prioritize their needs and functionality to focus on the most critical business needs to avoid cost overruns and lengthy delays.
• The most critical functionality should be delivered first, and functions of lesser importance can be considered for subsequent delivery.

The SBA briefed OMB in March 2012 on the status of the LMAS project. The SBA recognized the importance of migrating the batch COBOL systems from the legacy platform to a more up-to-date and non-proprietary COBOL environment.

We analyzed the seven IIPs and determined that:

• There is currently no LMAS project to migrate the batch COBOL systems from the legacy platform to a more up-to-date and non-proprietary production environment.
• The current COBOL Port IIP identifies the code converted into a test environment but never specifically identifies implementing the new code into production, which is necessary for the LMAS to be functional.

As a result, the SBA may be developing code that might not be implemented in its computing environment.

Recommendation 1

We recommend that the SBA adopt a new IIP under LMAS to facilitate the transfer of data and move its new COBOL code to a full production environment.

***

Finding 2: The Scope of the Root Cause Analysis Project was Changed to Only Review Funds Control and Develop a Data Dictionary

The LMAS-IIP Root Cause Analysis Project, as approved by the SBA’s BTIC and OMB, had been altered from its initially approved project—analyzing the completed IIPs and making recommendations on new potential IIPs—to two projects on (1) funds control and (2) the development of a data dictionary.

The OMB’s Memorandum 10-26 requires that after the most critical functional needs are in place, further prioritization of secondary needs should be performed. Therefore, revised project plans should prioritize the most critical remaining financial functions.

The change of the scope of the Root Cause Analysis occurred without BTIC approval. The original purpose of the Root Cause Analysis was to identify areas where completed IIPs had remaining issues or desired enhancements.

• Any gaps that were not addressed by the completed IIPs would be identified and addressed in future projects.
• The original Root Cause Analysis was done to ensure that the LMAS-IIPs would meet full potential, and successfully migrate off SBA’s mainframe computer system.

The reduced scope of the Root Cause Analysis created a situation in which the LMAS-IIPs no longer had the capability to analyze identified issues and develop plans to prioritize additional projects to address SBA’s most important business needs.

Recommendation 2

We recommend that the SBA ensure that the Root Cause Analysis IIP be revised so that it conforms to the scope originally approved by the BTIC. The Root Cause Analysis should:

(1) identify the most critical business needs of the SBA;
(2) analyze remaining issues when each LMAS-IIP is completed; and
(3) develop plans to prioritize additional projects to address SBA’s most important business needs.

***

Finding 3: New LMAS User Interface Screens were not Validated and Tested by OCIO—IT Security Before They Were Put into Production

The SBA had implemented new LMAS user interface screens as early as October 15, 2011. However, the SBA did not perform a security impact analysis on these new user interface screens before they were put into production. Therefore, the SBA unintentionally invalidated the Electronic Transaction (E-Tran) System Authority-to-Operate since they did not test the LMAS screens before they were put into production.

The OCIO—IT Security was unaware that the new LMAS user interface screens had entered into production in the E-Tran System when we first met with them in August 2012. As a result of our meeting, IT Security notified us that they would immediately address this with the LMAS Project Director and have a Security Impact Analysis performed on the LMAS-IIP user interface screens.

Under the Federal Information Security Management Act, LMAS user interface screens are required to be validated and tested as a part of a major modification to the E-Tran system Authority-To-Operate before the new User Interface Screens are put into production. Further, the NIST Special Publication, Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37), requires that:

• A security impact analysis should be conducted by the organization when changes are proposed to determine the extent to which changes to the information system affect the security of the system.
• The information system owner should consult with appropriate organizational officials prior to implementing any security-related changes to the information system or its operating environment.

Recommendation 3

We recommend that the Office of Chief Information Officer—IT Security perform a Security Impact Analysis on the E-Tran user interface screens to determine the security implications of the new user interface screens.

Recommendation 4

We recommend that the Office of Chief Information Officer—IT Security, in conjunction with the SBA Office of Capital Access, initiate the process of reauthorization of E-Tran for operation due to the changes to the operating environment.

***

Finding 4: The LMAS-IIP Quality Assurance Program Did Not Exist At the Time of Our Review

The LMAS-IIP Quality Assurance (QA) program did not exist during the time of our review. This resulted in a lack of adequate systems development project oversight. Without an effective QA capability, an independent advisor reporting on compliance with BTIC and LMAS Executive Steering Committee mandates did not exist.

We requested all QA assessments of the LMAS-IIP Program from the QA Manager. No QA assessments were provided during the timeframe of our review. The QA manager explained that:

• Along with his other duties, he did not have adequate resources to perform QA reviews of LMAS-IIP deliverables, and that the SBA was in the process of obtaining contractor support to perform the QA team functions.

A functioning QA program would have identified and reported to the LMAS Executive Steering Committee the major scope changes to the Root Cause Analysis IIP as identified in Finding 2 in this report.

The SBA’s Standard Operating Procedure 90 41 0, Procedures for Managing and Assessing the Quality of SBA Information Technology Projects states that the purpose of the IT QA program is to:

1) provide clear guidance in the delivery of quality IT deliverables,
2) ensure quality in the acquisition, design, development, testing, implementation and operation of IT programs, and
3) conduct QA assessments on Agency IT acquisitions, investments, programs, projects and operations.

Additionally, according to OMB Memorandum 10-26, Immediate Review of Financial System IT Projects, ongoing, transparent system oversight is required of all agencies. Specifically, agencies should identify, up-front, a series of milestones, warning flags, and stop-points, which, if deemed necessary, can cause a project to be suspended and returned to planning. This is of particular concern since our prior audit on LMAS¹ reported that:

• Although a QA manager was added to the project, he was unable to dedicate a sufficient amount of time to the project due to his other workload demands, and
• The SBA’s management stated they would add a full-time QA Manager responsible for the IT QA program, and additional resources, such as contracted support specific to the LMAS IT QA function.

¹ OIG Audit Report 10-14, Adequacy of Quality Assurance Oversight of the Loan Management Accounting System Project, issued September 13, 2010.

Recommendation 5

We recommend that the Office of Chief Information Officer implement a Quality Assurance program that reports compliance at the project level to the ESC and the BTIC, at regular intervals.

***

Finding 5: The LMAS-IIP Independent Verification and Validation Program Did Not Exist

The SBA did not have an operational Independent Verification and Validation program, a key oversight component, during the LMAS-IIP. As a result, there is less assurance that LMAS-IIP deliverables meet their user and security requirements before being implemented into production.

The SBA’s Standard Operating Procedure 90 41 0—Procedures for Managing and Assessing the Quality of SBA Information Technology Projects—provides guidance on SBA’s IT Independent Verification and Validation (IV&V) program:

• Independent Verification and Validation is the process of contracting with an independent source to verify and validate that the IT deliverables meet the requirements as outlined in the contract or statement of work [or project requirements].

We requested all IV&V reports of the LMAS-IIP Program from the program manager, but no reports were provided during our review.

The QA manager, who also manages the IV&V program, explained that:

• Adequate resources to perform IV&V reviews of LMAS-IIP deliverables were not obtained, and that the SBA was in the process of obtaining contractor support to perform IV&V functions.

During IV&V testing, a functioning IV&V Program should have found that the SBA’s IT Security Office had not been a member of the LMAS-IIP and had not performed a Security Impact Analysis on LMAS user interface screens.

The lack of an IT Independent Verification and Validation program is of concern given our prior audit on LMAS (see Footnote 1), since:

• By eliminating IV&V testing for the LMAS project, the SBA is at risk of deploying a mission critical system with undetected errors and with limited assurances that program and functional requirements are fully satisfied.
• The SBA responded to the prior audit by stating that LMAS would conform to the QA Standard Operating Procedures when those procedures became effective.

Recommendation 6

We recommend that the Office of Chief Information Officer implement an Independent Verification and Validation program for the LMAS-IIP that tests and validates that each IIP meets its program and functional requirements.

Agency Comments: Recommendations 1-4

We provided a draft of this report to the SBA Chief Operating Officer (COO) dated January 23, 2013. On February 25, 2013, the COO submitted formal comments for the LMAS Executive Steering Committee (ESC) which are included in their entirety in the appendix to this report. The ESC concurred with our findings and recommendations. A summary of management’s comments, followed by our responses, is below.

Recommendation 1

We recommend that the SBA adopt a new Incremental Improvement Project under LMAS to facilitate the transfer of data and move its new COBOL code to a full production environment.

Agency Comments: The ESC concurs. This effort will be aligned with the agency’s overall data center consolidation strategy.

OIG Response: We consider management’s comments to be responsive to the recommendation.

***

Recommendation 2

We recommend that the SBA ensure that the Root Cause Analysis Project conforms to the scope originally approved by the BTIC. The Root Cause Analysis should:

(1) identify the most critical business needs of the SBA;
(2) analyze remaining issues when each LMAS-IIP is completed; and
(3) develop plans to prioritize additional projects to address SBA’s most important business needs.

Agency Comments: The ESC concurs that the Root Cause Analysis project should address SBA’s most important business needs…. SBA’s remaining issues are analyzed and prioritized within each SBA organization’s operations and maintenance activities.

OIG Response: We consider management’s comments to be responsive to the recommendation.

***

Recommendation 3

We recommend that the Office of Chief Information Officer IT Security perform a Security Impact Analysis on the E-Tran user interface screens to determine the security implications of the new user interface screens.

Agency Comments: The ESC concurs with the recommendation for IT Security to perform a Security Impact Analysis on E-TRAN.

OIG Response: We consider management’s comments to be responsive to the recommendation.

***

Recommendation 4

We recommend that the Office of Chief Information Officer IT Security, in conjunction with the SBA Office of Capital Access, initiate the process of reauthorization of E-Tran for operation due to the changes to the operating environment.

Agency Comments: The ESC concurs with the recommendation for IT Security to perform reauthorization of E-TRAN.

OIG Response: We consider management’s comments to be responsive to the recommen-
dation.\n                                                                                  ***\n\n\n                                                      10\n\x0cAgency Comments: Recommendations 5 & 6\n\nRecommendation 5\nWe recommend that the Office of Chief Infor-\nmation Officer implement a Quality Assurance\nprogram that reports compliance at the project\nlevel to the ESC and the BTIC, at regular inter-\nvals.\n\nAgency Comments: The ESC concurs with the\nrecommendation for OCIO to implement a QA\nprogram that reports at the project level to the\nESC and BTIC.\n\nOIG Response: We consider management\xe2\x80\x99s\ncomments to be responsive to the recommenda-\ntion.\n\n                       ***\n\nRecommendation 6\nWe recommend that the Office of Chief Infor-\nmation Officer implement an Independent Verifi-\ncation and Validation program for the LMAS-IIP\nthat tests and validates that each IIP meets its\nprogram and functional requirements.\n\nAgency Comments: The ESC concurs with the\nrecommendation for OCIO to implement an\nIndependent Verification and Validation pro-\ngram for the LMAS-IIP that tests and validates\nthat each IIP meets its program and functional\nrequirements.\n\nOIG Response: We consider management\xe2\x80\x99s\ncomments to be responsive to the recommenda-\ntion.\n\n\n\n\n                                                   11\n\x0c                           U.S. Small Business Administration\n                                   W ASHINGTON, D.C. 20416\n\n\n\n    DATE:          February 25, 2013\n       TO:         John K. 
Needham\n                   Assistant Inspector General for Auditing\n    FROM:          Paul Christy\n                   Chief Operating Officer\n SUBJECT:          SBA Response to Briefing Report for the SBA's LMAS/IIP's\n       CC:         Marie Johns, Deputy Administrator\n                   Stephen Kucharski, Office of Capital Access\n\n\n    This memo transmits SBA\xe2\x80\x99s response and comments to the findings and recommendations\nincluded in your draft Briefing Report for The SBA Loan Management and Accounting System\n(Project No. 12-012).\n\n   The LMAS project team met with the Executive Steering Council (ESC) and briefed the\nESC and its chair, Deputy Administrator Marie Johns. The ESC approved the management re-\nsponses and the expanded document which is attached to this memo.\n\n    The ESC looks forward to working with you and your team to continually assess and moni-\ntor the successful completion of this critical project.\n\n\n\nAttachment\n\n\n\n\n                                             12\n\x0c                        `\n\n\n\n\n        U.S. Small Business Administration\n\n\n\n\nResponse to Office of Inspector General (OIG)\n              Project No, 12-012\n               February 25, 2013\n\n\n\n\n                        13\n\x0c    Contents\n    1. Executive Summary ....................................................................................... 2\n\n    2. Background ................................................................................................... 3\n\n    3. Response to OIG Recommendations ............................................................. 4\n\n    3.1. Recommendation 1 Response .................................................................... 4\n\n    3.2. Recommendation 2 Response .................................................................... 4\n\n    3.3. Recommendation 3 Response .................................................................... 4\n\n    3.4. 
Recommendation 4 Response .................................................................... 4\n\n    3.5. Recommendation 5 Response .................................................................... 5\n\n    3.6. Recommendation 6 Response .................................................................... 5\n\n\n\n\n1\n\n                                                           14\n\x0c1. Executive Summary\nThis document is intended to respond to the Office of Inspector General\xe2\x80\x99s (OIG) report for project\nnumber 12-012 dated January 23, 2013. The report presents OIG\xe2\x80\x99s findings on a review of the SBA\xe2\x80\x99s\nLoan Management and Accounting System (LMAS) Incremental Improvement Projects (IIPs).\nThe OIG findings include:\n     \xef\x82\xb7 SBA does not have an IIP to migrate its newly created COBOL code into production;\n     \xef\x82\xb7 Root Cause Analysis project has been altered from its initially approved project;\n     \xef\x82\xb7 Screens migrated from the User Interface Migration project were not security tested and\n       validated;\n     \xef\x82\xb7 Quality Assurance (QA) and Independent Verification and Validation (IV&V) program did not\n       exist during the review of the LMAS-IIPs.\n\nTo address the above findings, OIG has made the following recommendations:\n     \xef\x82\xb7 Recommendation 1: We recommend that the SBA adopt a new Incremental Improvement\n        Project under LMAS to facilitate the transfer of data and move its new COBOL code to a full\n        production environment.\n     \xef\x82\xb7 Recommendation 2: We recommend that the SBA ensure that the Root Cause Analysis\n        Project conforms to the scope originally approved by the BTIC. 
  The Root Cause Analysis should: (1) identify the most critical business needs of the SBA; (2) analyze remaining issues when each LMAS IIP is completed; and (3) develop plans to prioritize additional projects to address SBA’s most important business needs.
• Recommendation 3: We recommend that the Office of the Chief Information Officer IT Security perform a Security Impact Analysis on the E-Tran user interface screens to determine the security implications of the new user interface screens.
• Recommendation 4: We recommend that the Office of the Chief Information Officer IT Security, in conjunction with the SBA Office of Capital Access, initiate the process of reauthorization of E-Tran for operation due to the changes to the operating environment.
• Recommendation 5: We recommend that the Office of the Chief Information Officer implement a Quality Assurance program that reports compliance at the project level to the ESC and the BTIC, at regular intervals.
• Recommendation 6: We recommend that the Office of the Chief Information Officer implement an Independent Verification and Validation program for the LMAS IIP that tests and validates that each IIP meets its program and functional requirements.

The LMAS IIP Executive Steering Committee (ESC) chaired by the Deputy Administrator, Marie Johns, reviewed the recommendations on February 8th. The ESC’s response to each recommendation is outlined in section 3.


2. Background

The table below identifies the offices that own each project. All the projects are governed by the LMAS-IIP Executive Steering Council (ESC) and are subject to review by the OIG. In August 2012, OIG began an audit of LMAS IIP.
The initial results were briefed on December 17, 2012.

Table I: LMAS-IIP Project Owners

IIP Project                                                        Owner
R12                                                                Office of the Chief Financial Officer (OCFO)
Incremental Migration of User Interfaces                           Office of Capital Access (OCA)
Port to New Version of COBOL                                       OCA
Migrate from Sybase to Oracle                                      OCFO
Perform Root Cause Analyses                                        OCFO
Implement Improvements                                             OCFO
Document New Environment (Loan Accounting)                         OCA
Unisys Bridge/Maintenance                                          Office of the Chief Information Officer (OCIO)
LMAS-IIP Direct Materials and Services (Formerly called Hosting)   OCA/OCFO
LMAS-IIP Infrastructure                                            OCIO


3. Response to OIG Recommendations

3.1. Recommendation 1 Response

Recommendation: We recommend that the SBA adopt a new Incremental Improvement Project under LMAS to facilitate the transfer of data and move its new COBOL code to a full production environment.

The ESC concurs. This effort will be aligned with the agency’s overall data center consolidation strategy.

3.2. Recommendation 2 Response

Recommendation: We recommend that the SBA ensure that the Root Cause Analysis Project conforms to the scope originally approved by the BTIC.
The Root Cause Analysis should: (1) identify the most critical business needs of the SBA; (2) analyze remaining issues when each LMAS IIP is completed; and (3) develop plans to prioritize additional projects to address SBA’s most important business needs.

The ESC concurs that the Root Cause Analysis project should address SBA’s most important business needs. As the scope of the IIPs matured with the submission of the FSAB request, the Root Cause Analyses project was defined to address the agency’s critical business needs. For the past two years, the ESC has received updates on the Root Causes Analyses projects and concurred with the scope of the project. SBA’s remaining issues are analyzed and prioritized within each SBA organization’s operations and maintenance activities.

3.3. Recommendation 3 Response

Recommendation: We recommend that the Office of the Chief Information Officer IT Security perform a Security Impact Analysis on the E-Tran user interface screens to determine the security implications of the new user interface screens.

The ESC concurs with the recommendation for IT Security to perform a Security Impact Analysis on E-TRAN. SBA policies for enhancing an existing accredited system by obtaining approval from the Change Control Board (CCB) and Enterprise Change Control Board (ECCB) were followed. However, the ESC is agreeable to IT Security reviewing the security implications of the new user interface screens.

3.4. Recommendation 4 Response

Recommendation: We recommend that the Office of the Chief Information Officer IT Security, in conjunction with the SBA Office of Capital Access, initiate the process of reauthorization of E-Tran for operation due to the changes to the operating environment.

The ESC concurs with the recommendation for IT Security to perform reauthorization of E-TRAN.
The SBA policies for enhancing an existing accredited system by obtaining approval from the CCB and ECCB were followed. Given the increased functionality of E-TRAN, the ESC is agreeable to performing the security reauthorizations as requested by OIG.

3.5. Recommendation 5 Response

Recommendation: We recommend that the Office of the Chief Information Officer implement a Quality Assurance program that reports compliance at the project level to the ESC and the BTIC, at regular intervals.

The ESC concurs with the recommendation for OCIO to implement a QA program that reports at the project level to the ESC and BTIC.

3.6. Recommendation 6 Response

Recommendation: We recommend that the Office of the Chief Information Officer implement an Independent Verification and Validation program for the LMAS IIP that tests and validates that each IIP meets its program and functional requirements.

The ESC concurs with the recommendation for OCIO to implement an Independent Verification and Validation program for the LMAS IIP that tests and validates that each IIP meets its program and functional requirements.
"